If we want to actively start using the HBAC feature, we need to disable this rule, otherwise it will always match, even when none of our other rules do and access should be denied. However, the moment we disable it, all access by existing users to existing hosts is denied.

To avoid locking users out of their systems, we need to ensure that another rule allows access to the existing hosts before the default rule is disabled, so that service continues uninterrupted. One possibility is the following setup: all existing machines become members of a new host group allow_all_hosts, which in turn becomes the target host group of a new HBAC rule allow_all_users_services that grants access to every user and every service on those machines. That way the existing behaviour is preserved for existing hosts and users.

From now on, for access to work as it did before, any new host needs to be added to the allow_all_hosts host group using ipa hostgroup-add-member or a similar mechanism; otherwise, with the default rule disabled, no rule matches the new host and all access to it is denied. Alternatively, the automember and default automember features can set the group membership automatically.

Note that the ipa hbactest utility can be used to test policies -- use it to verify your setup before you lock your users out of their systems.

Example of new service

Once the individual systems are enumerated in the allow_all_hosts host group, we can define new, more targeted rules for specific services and assign some of those hosts to them.

Let us assume we plan to run an application wikiapp and want its PAM service wikiapp to have authentication and authorization handled by the IPA server through HBAC.

We see that the rule allow_wikiapp matches, which is good, but allow_all_users_services matches as well, so the targeted rule has no effect yet. We probably want to remove the host from the host group. But beware -- this might cut off our own access to the machine via ssh if sshd is configured to use IPA HBAC, so check with ipa hbactest that some other rule still allows ssh to that host before removing it:

# ipa hostgroup-remove-member allow_all_hosts --hosts=wikiapp.example.com
Host-group: allow_all_hosts
Description: Host group which will have allow_all_users_services HBAC enabled.
Member hosts: ipa.example.com, smtp.example.com
Member of HBAC rule: allow_all_users_services
---------------------------
Number of members removed 1
---------------------------
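The IPA-side half of both procedures above (preserving access for existing hosts before the default rule is disabled, and then adding the targeted wikiapp rule and pulling the host out of the catch-all group) as one script. This is an added example, not code from the original article or from the FreeIPA project. It assumes, beyond what the text states, a user group wikiusers for the wiki users, the login admin over the sshd service as the canary used to prove access still works, and allow_all as the name of IPA's default rule. With DRY_RUN=1 it prints the ipa commands instead of running them and uses a constructed host list, so it can be read and checked without a server.

```shell
#!/bin/sh
# Added example, not taken from the article or from the FreeIPA project.
# Keeps existing hosts reachable while the default allow_all rule is disabled,
# then adds the targeted allow_wikiapp rule and removes wikiapp.example.com
# from the catch-all host group.
# Assumed, not from the article: the user group "wikiusers", the canary login
# "admin" over "sshd", and "allow_all" as the name of IPA's default rule.
# DRY_RUN=1 prints commands instead of running them (with a constructed host
# list), so the plan can be reviewed without an IPA server.

set -eu

HOSTGROUP=allow_all_hosts
RULE=allow_all_users_services
CANARY_USER=${CANARY_USER:-admin}
CANARY_SERVICE=${CANARY_SERVICE:-sshd}
DRY_RUN=${DRY_RUN:-0}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Every host IPA knows about; a constructed sample list in dry-run mode.
list_hosts() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' ipa.example.com smtp.example.com wikiapp.example.com
    else
        ipa host-find --pkey-only --sizelimit=0 | awk -F': ' '/Host name:/ { print $2 }'
    fi
}

# True when hbactest says USER may use SERVICE on HOST judged by RULE alone.
hbac_allows() { # user host service rule
    ipa hbactest --user="$1" --host="$2" --service="$3" --rules="$4" --nodetail \
        | grep -q 'Access granted: True'
}

# True when a rule other than RULE and allow_all grants USER SERVICE on HOST.
# HBAC rules only ever allow, so testing them one by one is equivalent.
other_rule_allows() { # user host service
    for r in $(ipa hbacrule-find --pkey-only --sizelimit=0 | awk -F': ' '/Rule name:/ { print $2 }'); do
        case $r in "$RULE"|allow_all) continue ;; esac
        if hbac_allows "$1" "$2" "$3" "$r"; then return 0; fi
    done
    return 1
}

# Step 1: group and rule that reproduce allow_all; disable allow_all last.
migrate_allow_all() {
    run ipa hostgroup-add "$HOSTGROUP" \
        --desc="Host group which will have $RULE HBAC enabled."
    for h in $(list_hosts); do
        run ipa hostgroup-add-member "$HOSTGROUP" --hosts="$h"
    done
    run ipa hbacrule-add "$RULE" --usercat=all --servicecat=all
    run ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    if [ "$DRY_RUN" != 1 ]; then
        # Refuse to go further unless the new rule alone covers every host.
        for h in $(list_hosts); do
            hbac_allows "$CANARY_USER" "$h" "$CANARY_SERVICE" "$RULE" || {
                echo "not disabling allow_all: $RULE does not cover $h" >&2; return 1; }
        done
    fi
    run ipa hbacrule-disable allow_all
}

# Step 2: a rule scoped to the wikiapp PAM service on one host.
add_wikiapp_rule() { # host usergroup
    run ipa hbacsvc-add wikiapp --desc="wikiapp PAM service"
    run ipa hbacrule-add allow_wikiapp
    run ipa hbacrule-add-service allow_wikiapp --hbacsvcs=wikiapp
    run ipa hbacrule-add-host allow_wikiapp --hosts="$1"
    run ipa hbacrule-add-user allow_wikiapp --groups="$2"
}

# Step 3: leave the catch-all group only if ssh is still allowed by another rule.
isolate_host() { # host
    if [ "$DRY_RUN" != 1 ] && ! other_rule_allows "$CANARY_USER" "$1" "$CANARY_SERVICE"; then
        echo "not removing $1 from $HOSTGROUP: $CANARY_SERVICE would be cut off" >&2
        return 1
    fi
    run ipa hostgroup-remove-member "$HOSTGROUP" --hosts="$1"
}

# Usage: sh hbac-migrate.sh plan    (prints the commands)
#        sh hbac-migrate.sh apply   (runs them against the IPA server)
case ${1:-} in
    plan)  DRY_RUN=1; migrate_allow_all; add_wikiapp_rule wikiapp.example.com wikiusers
           isolate_host wikiapp.example.com ;;
    apply) migrate_allow_all; add_wikiapp_rule wikiapp.example.com wikiusers
           isolate_host wikiapp.example.com ;;
esac
```

The ordering is the point: the host group and the allow_all_users_services rule exist before allow_all is disabled, and the script only disables it after ipa hbactest confirms, per host, that the new rule on its own grants the canary login. In the same spirit, the host is removed from allow_all_hosts only after some other enabled rule is shown to allow ssh to it, which is the lockout the text warns about.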

On the wikiapp.example.com machine, we want to create the /etc/pam.d/wikiapp file with a configuration that specifies sssd as the mechanism for authentication and authorization: